Department of Health and Human Services

OFFICE OF INSPECTOR GENERAL

ELECTRONIC DATA INTERCHANGE AND PAPERLESS PROCESSING:
ISSUES AND CHALLENGES

JUNE GIBBS BROWN
Inspector General

MARCH 1994
OEI-12-93-00080

OFFICE OF INSPECTOR GENERAL

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as
amended, is to protect the integrity of the Department of Health and Human Services' (HHS)
programs as well as the health and welfare of beneficiaries served by those programs. This
statutory mission is carried out through a nationwide network of audits, investigations, and
inspections conducted by three OIG operating components: the Office of Audit Services, the
Office of Investigations, and the Office of Evaluation and Inspections.
The OIG also informs the Secretary of HHS of program and management problems and
recommends courses to correct them.

OFFICE OF AUDIT SERVICES

The OIG's Office of Audit Services (OAS) provides all auditing services for HHS, either by
conducting audits with its own audit resources or by overseeing audit work done by others.
Audits examine the performance of HHS programs and/or its grantees and contractors in
carrying out their respective responsibilities and are intended to provide independent
assessments of HHS programs and operations in order to reduce waste, abuse, and
mismanagement and to promote economy and efficiency throughout the Department.

OFFICE OF INVESTIGATIONS

The OIG's Office of Investigations (OI) conducts criminal, civil, and administrative
investigations of allegations of wrongdoing in HHS programs or to HHS beneficiaries and of
unjust enrichment by providers. The investigative efforts of OI lead to criminal convictions,
administrative sanctions, or civil money penalties. The OI also oversees State Medicaid fraud
control units which investigate and prosecute fraud and patient abuse in the Medicaid program.

OFFICE OF EVALUATION AND INSPECTIONS

The OIG's Office of Evaluation and Inspections (OEI) conducts short-term management and
program evaluations (called inspections) that focus on issues of concern to the Department,
the Congress, and the public. The findings and recommendations contained in these inspection
reports generate rapid, accurate, and up-to-date information on the efficiency, vulnerability,
and effectiveness of departmental programs. This report was prepared under the direction of
Penny Thompson, Chief, Health Care Branch, Office of Evaluation and Inspections.
Participating in this project were the following primary authors:

Thomas A. Noplock, Office of Evaluation and Inspections
Stephen W.
Greenfield, Office of Audit Services
Thomas R. Hoffman, Office of General Counsel, Inspector General Division
Thomas J. Elliott, Office of Audit Services

For additional copies of this report, please contact Thomas A. Noplock at (410) 966-3144.

EXECUTIVE SUMMARY

PURPOSE

The purpose of this document is to (1) identify emerging issues in the expansion of the
Health Care Financing Administration's (HCFA) use of electronic data interchange
(EDI) and related technology to achieve paperless processing, and (2) discuss the
Office of Inspector General's (OIG) current plans to provide oversight of HCFA's
strategy to implement a paperless environment. We have developed it through a
review of literature and consultation within the OIG, and with HCFA and others.

BACKGROUND

Electronic Data Interchange is the electronic transfer of information, such as
electronic media claims, in a standard format between trading partners. As it relates
to health care, this new technology will allow entities within the health care system,
connected by an integrated system of electronic communication networks, to exchange
medical, billing, and other information and process transactions in a manner which is
fast and cost effective. Most of these improvements are likely to result from the
significant reduction or elimination of paper transactions.

ISSUES

The HCFA's far-reaching implementation of EDI and paperless processing contains
many parts which all relate to the larger strategy and goals of this initiative.
Among the significant issues affecting this strategy are the following:

• Systems--such as the Medicare Transaction System (MTS), Medicaid
  Management Information Systems (MMIS), and point-of-service claims
  management systems under Medicaid--to process electronically submitted claims
  and manage data more efficiently.
• Standardization, to facilitate the electronic flow of claims, patient, and
  reimbursement data between providers, payers, and quality-of-care reviewers.
• Incentives and barriers, to encourage providers to submit claims and patient data
  electronically.
• Companion technologies, such as smart cards for computerized patient
  identification and medical records, and national data communications networks
  for transmission of health care data to complete the electronic cycle.

We discuss the need for a cohesive strategic systems plan covering EDI and paperless
processing, to encourage HCFA's information resources management program to
address Medicare contractor systems and Federal Medicaid initiatives.

The implementation of these new systems, in particular, carries with it myriad
questions regarding trustworthiness and reliability of data as it moves from one partner
in electronic commerce to another and from one process to another.
Specific issues raised with regard to electronic submission and processing of claims include:

• Confidentiality and privacy of patient records, to ensure that the confidentiality of
  personally-identifiable health insurance data be strictly maintained and
  the privacy of patients be maintained.
• Internal controls, to address the adequacy of management controls over
  operations and specific requirements for controls to safeguard assets
  against waste, fraud, and abuse.
• Audits and certification, to place more focus on systems at the provider
  level and to ensure that all EDI and paperless processing systems are
  trustworthy and reliable.
• Contractor conflict of interest, to pursue the Medicare contractor conflict
  of interest issue as it relates to proprietary EDI and paperless processing
  market-driven ventures.
• Valid contracts, to determine the degree of compliance of current and
  planned Medicare contract requirements with the National Institute of
  Standards and Technology standards.
• Legal use of information submitted, to ensure the integrity of information
  through the use of provider agreements, a valid chain of custody,
  attestation and originator authentication, and the need for audit trails.

CONCLUSION

This document, prepared in response to HCFA's briefing for OIG personnel on EDI
and paperless processing issues and its request for more information on the OIG's
concerns and plans, has identified numerous issues and goals related to HCFA's use of
EDI and paperless processing technology. Issues related to the overall strategy of this
initiative concern the development of various systems which will allow HCFA to
process electronically submitted claims more efficiently.
Other broad issues are standardization, incentives, companion technologies, Medicare
contractor systems, and Federal Medicaid initiatives.

This document also raises issues regarding the trustworthiness and reliability of data as
it moves from one partner in electronic commerce to another and from one process to
another. These issues include confidentiality and privacy, management controls over
operations, internal controls, audits and systems certifications, Medicare contractor
conflict of interest, validity of contracts, and the integrity of information. Besides
having a significant impact on HHS and HCFA's ability to manage the Medicare and
Medicaid programs, these issues are critical to the detection of fraud and abuse. We
plan to analyze many of these issues for the purpose of preparing our workplan over
the next few years.

AGENCY COMMENTS

The Health Care Financing Administration (HCFA) commented on a draft version of
this report. The HCFA suggested changes in the report to better reflect its activities
and those of the Department with respect to EDI and paperless processing, made
suggestions about the focus of OIG's work in this area, and gave us technical
comments. We have revised our report to address many of HCFA's comments and
also provide additional comments on HCFA's response in Appendix B. The full text
of HCFA's comments can be found in Appendix A.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

INTRODUCTION

ISSUES
    POLICY DIRECTION
        SYSTEMS
        STANDARDIZATION
        INCENTIVES AND BARRIERS
        COMPANION TECHNOLOGIES
        COHESIVE STRATEGIC SYSTEMS PLAN

    POLICY IMPLEMENTATION
        CONFIDENTIALITY
        INTERNAL CONTROL
        AUDITS AND CERTIFICATION
        CONTRACTOR CONFLICT OF INTEREST
        VALID CONTRACTS
        LEGAL USE OF INFORMATION

CONCLUSIONS

APPENDIX A - AGENCY COMMENTS

APPENDIX B - OIG RESPONSE TO AGENCY COMMENTS

APPENDIX C - ACRONYMS USED IN THIS REPORT

INTRODUCTION

PURPOSE

The purpose of this document is to (1) identify emerging issues in the expansion of the
Health Care Financing Administration's (HCFA) use of electronic data interchange
(EDI) and related technology to achieve paperless processing, and (2) discuss the
Office of Inspector General's (OIG) plans to provide oversight of HCFA's strategy to
implement a paperless environment.¹ We have developed it through a review of
literature and consultation within the OIG, and with HCFA and others.

BACKGROUND

Electronic Data Interchange is the electronic transfer of information, such as
electronic media claims, in a standard format between trading partners. As it relates
to health care, this new technology will allow entities within the health care system,
connected by an integrated system of electronic communication networks, to exchange
medical, billing and other information and process transactions in a manner which is
fast and cost effective. Most of these improvements are likely to result from the
significant reduction or elimination of paper transactions.

      Electronic Billing

      The HCFA has encouraged electronic submission of claims under Medicare for
      some time, and has recently stepped up its efforts to lead increased electronic
      billing under the Medicaid program. New incentives for the use of electronic
      billing are now in place. Providers submitting claims electronically are paid
      faster than providers submitting paper claims. The HCFA also has taken steps
      to move towards adoption of nationwide standardized electronic billing formats
      for both Part A and Part B.

¹ This document describes OIG projects which are either in progress or planned for
completion by the end of FY 1995.
These projects are subject to change depending
on our availability of resources, continuing review of priorities, and assessment of new
research in the field.

      Electronic Adjudication and Payment

      All payers, including the Medicare and Medicaid programs, are moving towards
      paperless billing and adjudication and payment of claims. HCFA plans to have
      the Medicare Transaction System (MTS) in place by 1998. This system, which
      will combine Part A and Part B of the Medicare program for the purposes of
      claims submission, adjudication and payment, will replace the 14 software
      processing programs used by the 48 fiscal intermediaries and 34 carriers that
      currently process Medicare claims.

      Furthermore, most of the health care reform bills now being considered include
      provisions for simplification in the administration of health care benefits
      through the use of standardized electronic billing and payment procedures.
      Several of the reform bills also call for use of an electronically readable card to
      be used to verify eligibility for benefits.

      Beyond the Claims Environment

      Other initiatives will also use technology to improve the health care information
      system. The Computer-Based Patient Record Institute (CPRI) is the
      organization that has been given the responsibility to initiate and coordinate all
      activities which will establish the routine use of computer-based patient records
      in all health care settings by the year 2001. Its mission is to support the
      effective and efficient use of computer-based patient information and to foster
      the computer-based patient record (CPR) as the primary vehicle for collecting
      patient data.

These initiatives are important ones for the entire health care system, and for the
Medicare and Medicaid programs in particular.
They hold out the promise of more
efficient administration of program benefits, faster claims processing, reduced
administrative costs and hassle for both providers and program administrators, and
more effective coordination of benefits and care for patients. Yet, they also hold risks.
As with any implementation of major new initiatives, thoughtful and careful planning is
essential. Coordination among groups within and outside the Department of Health
and Human Services must take place to avoid stumbling blocks. Goals, objectives and
timetables must be set. All tasks must work together to form a coherent strategy.
New vulnerabilities and problems which might be introduced by new systems and
strategies must be anticipated and overcome.

ISSUES

Major issues relating to HCFA's EDI and paperless processing initiatives can be
grouped into two major categories: (1) policy direction; and (2) policy
implementation, including trustworthiness and reliability of systems.

POLICY DIRECTION

The HCFA's far-reaching EDI and paperless processing initiative, in both the
Medicare and Medicaid programs, contains many parts. Each of these parts is worthy
of examination in its own right and as it relates to the larger strategy and goals of this
initiative.
Among the significant elements of this strategy are the following:

• Systems--such as the Medicare Transaction System (MTS), Medicaid
  Management Information Systems (MMIS), and point-of-service claims
  management systems under Medicaid--to more efficiently process
  electronically submitted claims and manage data.
• Standardization, to facilitate the electronic flow of claims, patient, and
  reimbursement data between providers, payers, and quality-of-care reviewers.
• Incentives, to encourage providers to submit claims and patient data
  electronically.
• Companion technologies, such as smart cards for computerized patient
  identification and medical records, and national data communications networks
  for transmission of health care data to complete the electronic cycle.

We also discuss the need for a cohesive strategic systems plan covering EDI and
paperless processing, to encourage HCFA's information resources management
program to address Medicare contractor systems and Federal Medicaid initiatives.

SYSTEMS

Medicare Transaction System (MTS)

The HCFA's 48 fiscal intermediaries and 34 carriers currently use 14 shared software
systems to process bills and pay claims. Under MTS, HCFA plans to replace the
current Part A and Part B systems with one unified system. This new system will
consolidate the claims-processing function into anywhere from 1 to 10 contractors.
Current contractors would continue to handle beneficiary inquiries and payment
safeguard functions, and would input paper claims to electronic format before sending
them to the processing centers. The MTS is projected to be in place by 1998 and is
expected to make it easier for HCFA to make the system changes required to put new
Medicare regulations and payment policies into effect.
The MTS is also expected to
make it easier for providers to inquire about the status of their outstanding claims.
The HCFA feels that MTS is necessary to help control the rise in Medicare processing
costs since it projects a 50 percent increase in claims volume by 1997.

Recently, HCFA awarded a $19 million, six-year contract for MTS design and
development support services to GTE Government Systems Corporation. The
General Accounting Office (GAO) was asked by Congress to review the MTS
procurement. The GAO final report, transmitted to HHS on March 1, 1994,
recommended that the Secretary ensure continuous involvement in MTS by HCFA top
management, participation by Department information resources management officials
and other experts, and reporting on progress and project status each January to
congressional appropriations and oversight committees.

The OIG has previously recommended that HCFA undertake a strategic planning
initiative to streamline, consolidate, and integrate Medicare claims processing.² The
HCFA has indicated that MTS addresses this recommendation. Thus, OIG plans to
review³ the MTS systems design process, with particular emphasis on how HCFA
plans to improve payment safeguards, provider accountability, internal systems
controls, and financial management through implementation of the system.
The results of this review should clarify issues raised by GAO and should be of use to
HCFA as specifications are developed for the new MTS, particularly with respect to
the sufficiency of HCFA's safeguards designed to ensure proper payment.

Medicaid Management Information Systems (MMIS)

Each of the jurisdictions (State or territory) operating a Medicaid program is entitled
to enhanced Federal financial participation for the development and operation of a
Medicaid claims processing system--referred to by HCFA as a Medicaid Management
Information System--in accordance with minimum Federal standards. All but one of
the Medicaid jurisdictions have either implemented such a system or are in the process
of doing so.

A number of these systems have either been installed initially or have been replaced
within the last 5 years. Many of these newer MMIS incorporate in their design
features (such as State-wide data communications networks) to facilitate electronic
billing, adjudication, and payment of Medicaid claims.
And, a number of these
systems are integrated with State Family Assistance Management Information Systems
(FAMIS) and State-wide data communications networks to facilitate EDI and
paperless processing in both the Medicaid and Aid for Families with Dependent
Children programs.

² "Review of Medicare Bill and Claim Processing: Opportunities for Long Term
Improvement," A-14-91-02532, August 1992.

³ As part of "Electronic Claims Processing - Medicare," planned for completion at
the end of FY 1995.

The OIG plans to review recent State efforts to implement MMIS and integrated
FAMIS/MMIS to determine the adequacy of the planning process, the thoroughness of
the risk analysis, and the degree of success in meeting system goals.

Medicaid Point of Service (POS) Claims Management Systems

The OIG will review the States' use of MMIS data in conducting utilization review and
analysis as part of our planned work in assessing innovative approaches to Medicaid
utilization review.

Point of Service claims management systems use computers and telecommunications
networks to perform one or more of four related but distinct claims management
functions. These are eligibility verification, claims submission, claims adjudication, and
utilization review. POS systems allow all of these functions to be performed in a
matter of seconds, before or while the services are being dispensed. Most existing
POS systems are in the private sector and are used primarily for the management of
prescription drug claims.

The Secretary of Health and Human Services (HHS), in response to requirements
included in OBRA 1990 and in conjunction with the MMIS program, has encouraged
State Medicaid programs to implement POS systems for managing prescription drug
claims.
The Federal Government provides up to 90 percent Federal financial
participation for the development of these systems and has authorized the Secretary to
waive certain paperwork requirements.

The OIG has performed a study of Medicaid POS systems.⁴ In this study, the OIG
found that POS systems, in the two States that have used them, have saved money and
have enhanced program administration. It also found that few States plan to acquire
POS systems. This is due primarily to the barriers that have limited States'
implementation of POS systems and the inadequate and confusing information that
many States have received about POS systems. We plan to examine these issues
further in our upcoming MMIS review and to conduct a further study of States'
implementation of the drug utilization review (DUR) requirements of OBRA 1990.

Since the OIG study on Medicaid POS systems, 8 State Medicaid agencies (SMA)
have reported implementation systems for pharmacies (including 6 systems with
utilization review capability). Ten additional SMAs indicated that they were
developing POS modules for implementation by the end of calendar year 1993, and 21
of the remaining 33 SMAs noted that they were considering the development and
implementation of POS modules for completion by late 1994.

⁴ "Point-Of-Service Claims Management Systems For Medicaid," OEI-01-91-00820,
May 1992.

STANDARDIZATION

When encouraging the development and use of any new emerging technology, the
establishment of standards becomes a critical issue which can "make or break" the
technology. Take the example, from a few years ago, of quad-stereo. The fate of this
superior sound technology was in the hands of a few manufacturers who could not
agree on a standardized equipment format.
Because of the lack of standardization, the
technology never made the market penetration it was expected to achieve. While
EDI, unlike quad-stereo, is here to stay, the fate of its universal acceptance does lie in
the hands of those groups which are in the position to mandate equipment and
software standards.

Currently, there is no national group which is responsible for the establishment of a
uniform data set and uniform data element definitions with respect to health care
transactions. Informational standard setting organizations, such as the National
Uniform Billing Committee and the Uniform Claim Form Task Force, have not been
given a clear role in defining data element definitions and reporting requirements.
Also, compliance with the recommendations made by these groups is generally
voluntary. There is an additional problem caused by the lack of coordination between
the groups that develop the electronic formats (e.g. the American National Standards
Institute or ANSI) and the standard setting groups. The standard setting groups are
not always allowed to review the new EDI transaction data sets developed by ANSI
and others.

The Federal Government has the opportunity to take the lead in encouraging (if
necessary mandating) and guiding the development of EDI standards.
But, if EDI is
to be standardized throughout the entire health care community, the Federal
Government must be prepared to modify substantially, if necessary, the current
systems utilized by Medicare, State Medicaid programs, the Department of Veterans
Affairs, Civilian Health and Medical Program of the Uniformed Services (CHAMPUS),
and the Indian Health Service.

In the previous administration, Secretary Sullivan of HHS established the Workgroup
for Electronic Data Interchange (WEDI) to work with the insurance industry on
standardizing electronic billing, remittance advice and banking formats, and moving
towards an all-electronic environment for processing of health insurance claims in the
public and private sectors. The impetus for this effort was a generally-accepted
premise that costs of administering Medicare, Medicaid, and private health insurance
plans and the paperwork burden imposed on providers by the insurance industry are
inordinately high without significantly constraining health care costs.

Under this effort, some progress in standardization was made. The HCFA began
active participation in the ANSI committee establishing standardized electronic
formats for the health insurance industry. The HCFA then issued regulations calling
for the use of ANSI standard transactions for electronic remittance notices and
payments by both the Medicare and Medicaid programs. The HCFA is planning to
implement a standard uniform institutional billing form for Medicare and Medicaid
over the next year.
Legislation, which would have empowered national standards
organizations to establish mandatory standards for electronic submission and payment
of claims, facilitated establishment of a national telecommunications network for
health care administrative data, and promoted the clearinghouse concept to improve
the coordination of benefits between various public and private payers, was not passed
in the last session of Congress. However, the Clinton Administration has recognized
the importance of standards and integrated health information systems and
communications networks as a way to promote administrative simplification in health
care. It has included establishment of such standards and networks under the auspices
of a National Health Board as part of its health care reform proposal.

We plan to track and analyze progress by the Department and HCFA in fostering
standardization as part of our ongoing assessment of HCFA's ability to move to
paperless processing in the age of EDI and electronic commerce.

INCENTIVES AND BARRIERS

The Providers' Perspective

An obvious obstacle to getting providers to "buy into" an EDI and paperless
processing system is simply the resistance to change to a new method of doing
business. Then there are more substantiated reasons for not wanting to use EDI and
paperless processing. One example is that some provider types, especially DME
suppliers, have refrained from using EDI and paperless processing because there are
no electronic methods for submitting attachments. Another reason for not using EDI
is the lack of standard data sets. This forces many providers to adopt an electronic
format which is compatible with the payer to whom the provider submits the majority
of their bills.
Finally, there are the additional costs incurred by a provider who wishes
to convert to EDI and paperless processing.

Issues which may need to be addressed include:

• What education programs can be put in place to help overcome provider
  resistance to change?

• Should HCFA create EDI and paperless processing benefit models based on
  provider size, geographic location, and patient mix, in order to show providers
  how the benefits of EDI and paperless processing relate to them?

• What incentives are needed to bring providers into the EDI and paperless
  processing environment? What about tax incentives, low or no-cost software, or
  the elimination of the Medicare floor used to pay claims?

• What needs to be done to ensure that providers adopt a uniform EDI and
  paperless processing environment?

The HCFA Bureau of Program Operations (BPO) is currently studying those
attachments to bills, such as Certificate of Medical Necessity (CMN) forms, that can
be standardized, automated or eliminated. The BPO is also enlisting the support of
national provider organizations and has developed a publicity campaign to promote
the adoption of EDI technology. The BPO has two point-of-service pilot projects
underway and has evaluated a number of innovative proposals for EDI and paperless
processing projects.

Providers who decide to implement new EDI and paperless processing technology will
be faced with incurring four types of costs. These costs are for hardware, software
purchasing or leasing, installation and training, and telecommunication charges.
Since most of these costs are relatively fixed (they exist whether the provider submits one claim, one hundred claims, or one million claims) and the gross savings accrue on a per claim or electronic transaction basis (the more claims or electronic transactions the more savings), overcoming these fixed costs is the principal factor that prevents low-volume providers from acquiring EDI and paperless processing technology. This problem is compounded by the fact that a significant number of small providers, especially rural providers, lack computerized offices. For these providers, investing in the required costs listed above would probably not be cost effective.

Issues with regard to small providers include the following:

• Will small providers, especially rural providers with small Medicare patient loads, be required to invest in EDI and paperless processing technology?

• What are the costs associated with conversion, installation, and maintenance of these systems and can small providers justify these costs? Can small providers pool operational costs?

• What alternatives exist for small providers?

The HCFA BPO is currently taking inventory of all of the low cost software that Medicare contractors are required to make available to providers. The HCFA Regional Offices will then determine contractor compliance. The BPO is also in the process of evaluating a number of pilot projects which are using emerging technologies in the payment area.
Some of these, one example being fax imaging technology, may be feasible for small providers to use as a cost effective substitute for a complete EDI and paperless processing system.

The OIG plans to assess how different providers can be brought into the EDI and paperless processing environment, what barriers exist for providers, and whether HCFA's efforts address those barriers and provide proper incentives for providers.

The HCFA's Perspective

For the short term, some of the key issues of concern to the OIG are as follows:

• What changes have been made in Medicare claims processing as a result of the implementation of Medicare national claims formats and electronic funds transfer (EFT)?

• Have these changes been implemented successfully, i.e., is there a probability of payment errors or fraud?

The HCFA has identified increased electronic media claims (EMC) and EFT as the primary means for effecting short term reductions in Medicare claims-processing unit costs.5 And, by the end of Fiscal Year 1993, HCFA will have invested over $21 million in EMC/EFT improvements at the Medicare contractors.

The HCFA has established the following goals for EMC:

• Increase the rate of EMC to 100 percent for hospitals and 75 percent for all other providers within 3 years.

• Increase the rate of EFT for Medicare payment to hospitals to 100 percent within 3 years.

• Increase the overall cost effectiveness of EMC.

These are challenging goals, and we are concerned that, with limited resources and many other operational issues that had to be dealt with at the same time, HCFA's planning and execution to reach these goals may not have been adequate.
To address these concerns, we have initiated a review6 during which we will determine if HCFA:

• Adequately assessed benefits and costs. (The HCFA believes that it will realize significant cost savings from full EFT implementation.)

5 Based on experience of the health insurance industry as a whole, HCFA believes that it is $0.50 per claim cheaper to process an electronically submitted claim than a hard-copy claim. This difference results primarily from data entry of hard-copy claims into electronic claims processing systems. The HCFA believes that even more savings may accrue from EFT and electronic notice of remittance, rather than payment by check and paper remittance advice. These savings result primarily from reduced mail room and postage costs.

6 "Electronic Claims Processing - Medicare," which is currently in the survey phase.

• Adequately assessed potential risks and vulnerabilities inherent in EMC, EFT, and paperless processing. (For example, HCFA does not believe that benefit payments made under EFT will be vulnerable to errors and/or fraud because the involved EFT parties of the contractors, Medicare banks, and the Automated Clearing House operators are bound by strict operating guidelines and Federal regulations concerning the initiation, transmission, and receipt of EFTs.)

• Provided adequate instructions, lead time, and resources to the Medicare contractors. (The HCFA has been providing technical specifications, procedural guidance, and appropriate funding since 1990.)

• Sufficiently tracked progress during implementation in a timely and effective manner to identify problems and resolve them.
(The HCFA believes that it has been diligent in tracking the progress of contractors, providers, and SMAs in implementing EFT.)

We will also determine the degree of success that the Medicare contractors are having in implementing the changes called for, and reaching the EMC/EFT targets set by, HCFA.

COMPANION TECHNOLOGIES

Smart Cards

Smart cards are wallet-sized, machine-readable cards that contain an integrated chip (its own computer) which can store an individual's medical history and other forms of data. In their simplest form, these cards allow access to a health care plan database. The health care industry continues to rely on identification cards to recognize plan members. Because of their extensive use, cards in one form or another are here to stay. As these identification cards become more sophisticated and become smart cards, the OIG should be concerned about two main issues. These issues are the cost of the cards and standardization.

The cost of machine-readable cards (equipment and installation) and the necessary infrastructure (training) to support the cards are certainly major drawbacks to a smart card system. A smart card system according to WEDI could cost hundreds of millions of dollars. Should smart cards be used when the less expensive magnetic strip or swipe card (credit card or ATM model) may contain all the information required?

Smart cards must contain a standard set of information. The issue is the amount of information required. In order to allow for efficient electronic access to information, and the transfer of information between payers and providers, at a minimum this information must be able to identify the payer and the plan member. The decision must also be made as to the amount of patient clinical information that should be put on the smart card.
Should patients be required to carry data bases around in their pockets when central computer and communication networks are a capable alternative?

Currently, there are several ongoing experiments on the application of card technology for the health care industry. The States of New York and Massachusetts use the magnetic strip card with an on-line communications network to monitor eligibility and utilization for their Medicaid populations. Smart cards are being used to monitor Aid to Families with Dependent Children, food stamp, and Medicaid populations in various States.

Even though WEDI does not recommend the use of smart cards because of their expense, we still recommend that HCFA look at smart cards (e.g. for use in verifying electronic signatures) and that HCFA study the results of the above experiments, and review the experience of States that have used various types of cards in the design of MTS and the implementation of the computerized patient record.

Computerized Patient Records

In order to be able to make informed health care decisions, policy decisions as well as clinical, the U.S. health care system needs better access to the information contained in patient records. This information, now contained in paper-based systems, is often fragmented, irretrievable, and illegible. The Institute of Medicine (IOM), after studying this issue for 18 months, has recommended that patient records be computer based. In addition, the IOM has endorsed the establishment of a private/public initiative which is now called the CPRI. The CPRI, formed during the summer of 1991, will be responsible for the initiation and coordination of all work that will eventually establish the routine use of CPRs in all U.S. health care settings.
The CPRI has formed five committees, and these committees will perform much of the work which is yet to be done.

HHS involvement in this area to date has consisted primarily of the establishment of an HHS Computerized Patient Records Council to promote and coordinate various Departmental activities; partial funding of the American National Standards Institute's Health Informatics Planning Panel; participation in the deliberations leading to the formation of the CPRI; participation in the American Hospital Association's Workgroup on Computerization of Patient Records and the WEDI; and the establishment of the HCFA Electronic Environment Steering Committee.

Because the establishment of the use of CPRs is still in its conceptual phase, various issues face the OIG:

• What are the benefits and the costs of the computerized patient record? The OIG should determine if a proper cost/benefit analysis has been performed to ensure, as best as possible, that CPRs will not only be useful and accessible, but also not so prohibitive that providers will not be able to afford their installation.

• What is required to guide the development of electronic clinical information or CPRs? What is needed to ensure a uniform standard data set, definitions, and format? What needs to be included in patient records and which models of CPRs should be adapted? Will HCFA rely entirely on the CPRI to develop the standards?
The OIG should be concerned that the Department have a place in the CPRI and that the Department give input at the early stages of the development of the CPR.

Leadership by HHS in the area of CPRs is particularly important because of the implications for:

• The Peer Review Organization (PRO) and SuperPRO activities relating to hospital utilization in Medicare.

• Utilization review activities of Medicare carriers.

• Utilization review activities of the States in their MMIS.

• Provider level interface with future health information systems at the State and Federal level.

In the future, the OIG will monitor the results from the work that is being performed by the five committees. In the meantime, we plan to address the issue of computerized patient records in the context of our ongoing review of MTS, upcoming review of MMIS, and a planned review of internal systems controls at the PROs.

THE NEED FOR A COHESIVE STRATEGIC SYSTEMS PLAN COVERING EDI

In a prior report7, we indicated that Medicare contractor systems and Federal Medicaid data initiatives were not being addressed in HCFA's information resources management (IRM) program; HCFA had not sufficiently assigned duties to, or assured the independence of, its Principal IRM Official; and the Department had not sufficiently monitored HCFA's IRM activities. Furthermore, neither we nor GAO have been able to discern any comprehensive strategy on HCFA's part related to how Medicare and Medicaid will move into an all-electronic environment.

7 "Review of the Health Care Financing Administration's Implementation of the Project to Redesign Information Systems Management," A-14-91-02533.
At that time, HCFA had elected to move forward with a strategic planning initiative to streamline, consolidate, and integrate Medicare and Medicaid claims processing, including EDI. This initiative had critical goals and objectives to standardize systems, provide appropriate incentives, and utilize companion technologies.

Meanwhile, however, private sector initiatives in the area of EDI standards and investment in private sector EDI networks and systems continue at an accelerating pace. These efforts are, in large measure, being driven by the Blue Cross/Blue Shield Association and its member plans, large commercial insurance companies, and commercial clearinghouses and data processors. Each of these parties is pursuing an EDI strategy based primarily on business concerns, and particularly market share. At the same time, numerous legislative proposals are being offered in conjunction with health care reform that would dramatically affect how EDI for health insurance information would be structured and operate in the future.

Without a viable Departmental strategy for channeling future EDI developments, we are concerned that:

• Medicare and Medicaid may not be able to make the most effective use of emerging EDI technology.

• The proliferation of EDI systems in the public and private sectors may accelerate.

• Reductions in administrative costs per claim may not be achieved to the degree now anticipated. And, issues similar to that of conflict of interest now faced in dealing with Medicare and Medicaid secondary payer issues will remain unresolved.

We plan to address some of these issues in our ongoing review of MTS and related HCFA EDI initiatives.
And, we plan to re-examine the efficacy of HCFA's strategic systems planning process as one of a series of reviews of HCFA's IRM programs.8

8 "Review of General Systems Controls at HCFA - Phase I" planned for completion by the end of FY 1995.

POLICY IMPLEMENTATION

The implementation of new EDI and paperless processing systems, in particular, carries with it questions regarding trustworthiness and reliability of data as they move from one partner in electronic commerce to another and from one process to another.

Specific questions raised with regard to electronic submission and processing of claims include:

• Confidentiality and privacy of patient records.

• Internal controls.

• Audits and certification.

• Contractor conflict of interest.

• Valid contracts.

• Legal use of information submitted, stored and processed by new systems, including provider agreements, chain of custody, attestation and originator authentication, and the need for paper trails.

CONFIDENTIALITY AND PRIVACY OF PATIENT RECORDS

Any EDI and paperless processing system will need to ensure that the confidentiality of personally identifiable health insurance data be strictly maintained and the privacy of patients be maintained. This area is made complex because traditionally the legal requirements covering privacy have been addressed on the State level with each State being unique. This is further complicated because providers and payers are subject to different sets of rules, with additional variation among types of providers.

The obligation that a provider must maintain the confidentiality of a patient's health insurance data is defined by statute, common law, and professional ethics.
It is the same whether the transmission and storage of this data is paper or electronic. The very reason that providers changed from the more cumbersome paper records to the more efficient EDI and paperless processing systems is the same reason that makes these systems more vulnerable. While EDI and paperless processing allows for more sophisticated security protocols, once these protocols are breached, it allows for a very efficient method of conducting an unauthorized transmission and review of confidential health insurance data.

Because payers are required to release health insurance data to various sources, especially medical information, they must follow many conflicting legal requirements covering disclosure. This disclosure may be for claims adjudication and payment, research, third party administration and utilization review, and audits. EDI and paperless processing must allow for this myriad of disclosures while protecting the privacy of the patients.

Two issues before HCFA in the areas of confidentiality and privacy are:

• What is required to ensure that all electronic health information remains at the required level of confidentiality?

• Have standards been established and have these standards been incorporated into legislation and systems development?

Although HCFA feels that the system security technology available at this time is more than adequate, we have little information to prove that this will be true into the future. The Privacy Act of 1974, 5 U.S.C. Section 552a, is the primary provision governing HCFA on the release of confidential health insurance data.
On the provider side, the American Medical Association's Principles of Medical Ethics requires that physicians safeguard confidential patient information within the constraints of the law.

Confidentiality and the Privacy Act will be areas that HCFA must address in the concept development and design phases of MTS and other EDI and paperless processing systems. We will be looking at HCFA's treatment of the issues of privacy and confidentiality as part of our ongoing reviews of EMC/EFT implementation and MTS and in our future reviews of MMIS and PRO systems internal controls.

INTERNAL CONTROLS

Section 2 of the Federal Managers' Financial Integrity Act (FMFIA), among other things, addresses the adequacy of management controls over operations and specific requirements for controls to safeguard assets against waste, fraud, and abuse. The OMB Circular A-123, "Internal Control Systems," prescribes policies and standards for executive departments to implement Section 2 of the FMFIA by setting up, maintaining, testing, improving, and reporting on internal controls in their program and administrative activities. Also, each agency is required to report any material weaknesses in the agency's systems of internal controls and the planned actions for correcting such weaknesses.

We have had concerns with HCFA's application of FMFIA with respect to Medicare contractors because it has not performed reviews sufficient to assure itself that the Medicare contractors have adequate internal control systems.
Our position has been and continues to be that we are concerned with the lack of review of contractor controls under the FMFIA and in the future this could impact on the positive assurance with respect to FMFIA that HCFA is expressing to the Secretary of HHS. Furthermore, various Medicare contractors have previously taken the position that their EMC departments are proprietary and should not be the subject of audits.

The HCFA acknowledges that the adequacy of HCFA's management controls over operations is an ongoing issue between HCFA and OIG and is the subject of extensive reviews by OIG. We believe that this issue exists due to HCFA and OIG having different philosophies and ways of performing internal control reviews. However, HCFA is aware of the importance of internal controls and evaluation activities in the area of EDI and welcomes the OIG's additional thoughts or recommendations that would strengthen its operations. Furthermore, HCFA is currently developing a plan to review the internal controls and systems of contractors for compliance with the FMFIA. Because these reviews have not taken place, it is unknown whether adequate controls do exist. Absent reviews of internal controls, no material internal control weaknesses have yet been reported. Consequently, the degree of trustworthiness and reliability of Medicare contractor systems in general, and especially their EMC/EFT systems, is a significant concern.

During the course of our ongoing review of HCFA's implementation to date of EMC and EFT in Medicare, we will evaluate the sufficiency of internal controls over Medicare EMC/EFT processing. Our objective is to determine the level of reliability of claims data and accountability of providers. We will obtain and analyze all Federal policy requirements relating to HCFA's application controls over Medicare electronic billing and payment.
We will identify any deviations between HCFA's current set of controls and these Federal requirements. And, we will develop and analyze an applications controls matrix to identify high risk areas. Then, we will use the results of this analysis to determine if HCFA has noted any deficiencies and taken action to address them.

AUDITS AND CERTIFICATION

In the past, most audit interest has been focused on the main line processing systems at the Medicare contractors where most of the claims were received in paper form, keyed into electronic formats, edited, and processed through payment. With Medicare EMC being used for claims submission of an ever increasing percentage of claims and with increased use of EFT and electronic remittance notices (ERN) for payment, greater focus must be placed on systems at the provider level. Also, intermediaries and carriers typically use the same departments for Medicare EMC/EFT/ERN as they do for support of their "private side" operations. While these departments may not have been the focus of prior audit work because of the proprietary nature of their activities, they must be included in future work because their activities are integral to Medicare claims processing.

Contractor Audits

The Medicare contractors are responsible for assuring that claims submitted from providers are accurate and justified. This responsibility extends to ensuring that provider-based systems used to submit claims electronically operate in a manner consistent with HCFA policies and instructions and in accordance with any additional requirements established by the servicing Medicare contractor.

In the claims processing market today, there are a variety of provider-based systems and external clearinghouses that may be used for EMC.
Installation and operation of these systems at the provider level, however, is the responsibility of the individual provider. To fulfill their responsibilities, therefore, Medicare contractors need to ensure that provider-based systems not only operate as intended, but also are governed by sufficient internal controls to assure adequate system and data security, system backup, and availability of supporting documentation.

Because of the large number of low-volume Medicare providers (e.g., individual physician practices), the wide range of systems that providers may use and the variety of environments in which the providers operate these systems, the resources needed by the Medicare contractors to audit provider-based EDI and paperless processing systems on a 100 percent basis are likely to be prohibitive. Furthermore, our ongoing reviews of Medicare contractors suggest that funding for basic payment safeguard activities is so limited that the adequacy of selective audits of provider systems by their servicing Medicare contractors is problematic.

Our primary concern, therefore, is the appropriateness of the criteria used by the Medicare contractors to select specific provider systems for audit and how well such audits are coordinated with other contractor activities requiring on-site reviews at provider locations.

This issue is not being addressed specifically as an objective in our ongoing review of EMC/EFT implementation in Medicare.
Rather, it will be addressed in the context of the compliance by the Medicare contractors with HCFA's requirements affecting EMC/EFT in the areas of:

• The solicitation and maintenance of provider attestations and certifications.

• The issuance of instructions to providers on record keeping in support of claims submitted.

• The establishment and maintenance of Medicare fraud and abuse programs.

Interim Certification

As noted above, the resource requirements to audit provider-based systems are likely to be so substantial that any audits of these systems by the Medicare contractors are problematic. The issue of systems certification, therefore, increases in importance.

Systems certification is recognized in HCFA's EMC strategy as a tool for providing some assurance that electronic billing systems used by providers meet basic industry and government standards. The HCFA has already established a two-tier list of sources for EMC packages: one list for sources meeting basic requirements; the other, a "select" list meeting more stringent requirements. There is no requirement, however, that providers use only those sources on the "select" list.

Furthermore, many providers use external billing services and/or claims clearinghouses, either in conjunction with, or instead of, provider-based EDI and paperless processing systems.
The HCFA does not appear to have addressed how such sources should be certified, either individually or in conjunction with any systems which the providers may use in conjunction with them.

As part of our ongoing review, we will obtain and analyze sufficient information to determine whether the maintainers and operators of EMC/EFT systems used in Medicare are in compliance with HCFA's requirements for systems certifications and testing.

Program Safeguards

As Peter Weiss, a governmental expert on EDI, noted in a recent paper,9 trustworthiness and reliability of EDI systems are criteria critical to ensuring the suitability of electronic data as evidence in a court of law. Also, conformance with Federal requirements for systems security (including the Computer Security Act, Privacy Act, and OMB Circular A-130 systems security requirements) with respect to data and access security is essential if EDI systems are to be certified as "trustworthy and reliable."

This issue is being addressed as a specific objective of our ongoing review of EMC/EFT in Medicare. We will determine whether the EMC/EFT systems maintainers and operators are in compliance with HCFA's requirements in the areas of access and data security as well as the system. We will also review HCFA's requirements for, and contractors' compliance with, procedures to identify those who input data, as well as those who use the data.

9 "Security Requirements and Evidentiary Issues in the Interchange of Electronic Documents: Steps Toward Developing a Security Policy" presented at the Workshop on Security Procedures for the Interchange of Electronic Documents, National Institute of Standards and Technology, November 12-13, 1992.
We will likewise determine if HCFA's requirements are adequate and are being complied with for periodic certifications and maintenance of a chain of custody as the data move from user to user.

Compliance with Circular A-127

The OMB Circular A-127 addresses compliance with Section 4 of the FMFIA and includes requirements for reviews of systems which collect, process, and use financial data. Recently, this circular has assumed greater importance because it is one of the primary sources of criteria for determining whether an agency's financial systems can provide reliable data for use in preparation of financial statements, as called for under the Chief Financial Officer's Act.

In Medicare, among the data most critical to financial management are claims and claims payments; however, HCFA, to date, has not included Medicare contractor systems in the scope of its financial systems reviews program because these systems do not feed data directly into HCFA's general ledger accounts. Thus, the extent of compliance of EMC/EFT systems at the Medicare contractors and EDI and paperless processing systems at participating providers with the criteria for reliability of financial data established under A-127 is uncertain, at best.

This issue is being covered in part by our ongoing review of MTS and related EDI and paperless processing initiatives. This review will address whether the HCFA has an overall strategic plan for the development and implementation of the proposed MTS and the migration to increased use of EDI and paperless processing.
And, if HCFA does have such a strategy, we will determine the degree to which this strategy is based on analyses called for under OMB Circular A-127 (financial management), as well as under OMB Circular A-123 (internal controls) and A-130 (IRM/systems security).

CONTRACTOR CONFLICT OF INTEREST

The HCFA and the OIG have become aware of allegations that certain contractors refuse to cooperate with some billing services which wish to submit Medicare claims electronically. The HCFA has forwarded instructions to the contractors requiring that third party software be made available to the providers. Compliance with these instructions still needs to be tested.

Even though this area was studied in an OIG Management Advisory Report dated July 1992, the following issues will need further review:

• Are Medicare contractors selling EDI and paperless processing systems (hardware and software) with an unfair competitive advantage and therefore in violation of antitrust law?

• Is there a conflict of interest with the contractor marketing EDI and paperless processing systems to providers and then being required to audit and look for problems in these systems?

The OIG has performed a limited review of four Medicare contractors (three intermediaries and one carrier).10 This review found that the four contractors appeared to comply with the requirements of Transmittal 1507 regarding the timeliness with which contractors fill requests for lists of edits. It found that the three intermediaries refused to accept direct computer-to-computer EMC submissions for their private line of business unless the provider uses their subsidiary's software for the transaction.
Finally, it found that the practice of requiring billing services and health care providers to use the contractors' for-profit subsidiaries may violate Federal antitrust laws.

Because of the growth in the use of EDI and paperless processing, its emergence as a major issue in health care reform, and the involvement of Medicare contractors in proprietary market-driven ventures, the OIG needs to pursue the conflict-of-interest issue. We will address Medicare contractor compliance with HCFA's current EMC instructions as part of our ongoing review of EMC/EFT implementation in the Medicare program. We plan to address the longer term issue of contractor conflict of interest in our review of MTS and related EDI and paperless processing initiatives, and as part of our continuing work in the area of Medicare secondary payer.

VALID CONTRACTS

In order to be able to create valid contracts under EDI systems, payers (including HCFA) and providers must recognize that information that is created, transmitted, or stored in electronic form does satisfy the legal requirements regarding a written signature the same as information that is recorded on paper. But, they must also recognize that appropriate security techniques, practices and procedures must be incorporated into EDI systems before electronic contracts can be considered valid.

The GAO has addressed this issue in their December 13, 1991 decision memorandum, "National Institute of Standards and Technology -- Use of Electronic Interchange Technology to Create Valid Obligations." The GAO prepared this memo in response to a request by the Computer Systems Laboratory, National Institute of Standards and Technology (NIST). The NIST asked GAO if Federal agencies can use EDI technologies, such as message authentication codes and digital signatures, to create valid contracts consistent with 31 U.S.C.
Section 1501. Section 1501 establishes the criteria for recording obligations against the government. The GAO concluded that government agencies can create valid obligations by using EDI systems which meet NIST standards for security and privacy.

¹⁰ Management Advisory Report, “Electronic Media Claims and Contractors’ For Profit Subsidiaries,” OEI-12-91-01410, July 1992.

A remaining question in this area is whether EDI systems being used by the Medicare contractors and the providers meet the NIST standards for security and privacy. We will determine the degree of compliance of current and planned Medicare requirements with NIST standards as part of our ongoing reviews of EMC/EFT and of MTS and related EDI initiatives.

LEGAL USE OF INFORMATION SUBMITTED

Provider Agreements

The integrity of the Medicare and Medicaid programs depends upon monitoring the submission of claims and ensuring provider accountability. Consequently, this issue affects OIG investigations and prosecutions of suspected fraudulent or abusive providers. Clear and uniformly enforceable provider agreements are necessary in order to hold providers personally responsible for every claim submitted and to provide sufficient evidence for prosecution of fraud.

Two recent court cases provide evidence that provider agreements may well become an issue in future court proceedings. In United States v. Mostaan, the defense claimed that the computerized claims lacked proper certification that the provider submitted claims only for services actually rendered by the provider or an employee under the provider’s supervision. The Government survived a defense motion for acquittal. In United States v. Lofton, the Government could not introduce medical records because of another certification problem.
The case was eventually dismissed by the Court on other grounds.

The volume of claims involved in EDI applications such as Medicare EMC means that there may not be any certification by a provider that he or she has rendered services submitted for reimbursement. If provider agreements do not have uniform form and content, program integrity will be jeopardized and cases will be difficult to prosecute.

According to a HCFA memorandum on EMC (written in July or August 1992), in order to submit claims via electronic media, a provider must first receive Automated Claims Input Authorization. This requires the provider to sign an agreement with the contractor. Any agreement signed between the provider and the contractor must establish clear guidelines for the handling of claims, as well as the assumption of responsibility for the completeness, accuracy and truthfulness of all claims submitted via electronic media.

The memo indicated that HCFA has not yet standardized provider agreements, but has established guidelines which have “standard key elements” for agreements (Blue Cross/Blue Shield Medicare Agreement was attached as a model, but is a 1984 form). No certification of accuracy or statement of liability is required.

The HCFA memo stated that most agreements require the provider to maintain all original source documents and medical records pertaining to any particular Medicare claim for at least 6 years following the month of payment.

The HCFA welcomes the OIG’s review of the standard EMC agreement currently being developed by HCFA. The OIG plans to review provider agreements and determine if they are adequate for ensuring accountability.
This includes the responsibilities of all parties in the EDI environment and the ownership of and responsibility for Medicare and Medicaid data at each point in the data flow.

Chain of Custody

Prosecutors must prove who had custody and control of claim documentation at each step of the billing process in order to successfully prosecute providers for fraudulent or abusive claims. A valid “chain of custody” will establish who was responsible for generating and storing electronic records. Record custodians must be able to account for each link in the chain of events involved in producing the records. Should the Government fail to meet this challenge, it likely will be unable to introduce critical evidence.

According to the HCFA memo, no audit requirements exist for reviewing documentation, validation, or electronic transmission flows; nor for reviewing screens, edits, or internal controls. No requirements exist for assessing system security, nor for reviewing cases for service appropriateness, or for analyzing charges and costs for services provided.

The memo indicated that (at least as of mid-1992) audits are not conducted for bills submitted electronically. The HCFA requires an annual “verification” for Medicare Part B EMC. However, with approved plans, contractors may extend the annual cycle for verification of provider records. The standards require that the contractor review a random sample of one percent of provider-submitted EMC. The verification is narrow in focus.
The purpose of the review is to establish that documentation for EMC is on file and is equivalent to that provided on a hard copy claim (a patient record exists, patient and physician signatures are on file, and other support documentation is available).

Based on the above information, the audit requirements do not ensure that a valid chain of custody has been maintained at each step in the system.

As the HCFA paper recommended, some procedures should be developed to identify each individual systems operator to avoid diffusion of responsibility, thereby making it easier to hold a particular provider accountable. Furthermore, stringent audit requirements should be developed to mandate review of internal controls and systems security.

Adequate systems safeguards are necessary to ensure that data is not misused or lost, and that unauthorized persons cannot access it. Since the sensitive information involved in EDI and paperless processing is subject to considerable fraud and abuse, it must be properly protected to ensure provider accountability and thus be useful to investigations and prosecutions.

Attestation and Originator Authentication

Attestation and originator authentication must be established to show provider accountability and thus are important evidentiary items in investigations and prosecutions of suspected fraudulent or abusive providers. Technological advances may create new efficiencies in this.
Among the issues of interest to the OIG are:

- Are there better methods to verify “attestation” (i.e., acknowledgment of a submission by a provider) or “originator authentication” (i.e., assurance that the source of the message is the named originator and not some other entity) when using personal identification numbers (PIN)?

- Has EDI technology advanced far enough to allow HCFA to consider fingerprinting (electronically read thumb prints) and retina scanning as forms of electronic signatures?

As part of its review of provider accountability, the OIG will assess whether Medicare and Medicaid systems allow for proper attestation and originator authentication.

Maintaining Audit Trails

Lack of hard copy Medicare claims may adversely affect OIG’s ability to establish provider accountability (i.e., who submitted what claim and when, who received the claim, and whether the claim’s accuracy can be verified). Without the necessary documentation, the Government will be unable to prove fraud or abuse since a provider may contend that “I never reviewed the claim data.” Unless providers are required to retain hard copy of claims, meaningful review which ensures provider accountability may not be possible. On the other hand, retention of hard copies of claims may negate or reduce some of the benefits of moving to electronic submission of claims.

A regulation issued by the National Archives and Records Administration, “Requirements for the Management of Electronic Records,” 36 CFR Part 1234, states that electronic records may be admitted in Federal court proceedings if trustworthiness is established.
Some of these requirements should be incorporated by HCFA to help ensure that EMC data will be admissible in Federal Court.

Further, it is generally recognized that the need for accounts reconciliation, periodic audits, and recovery from emergency/disaster situations in an EDI and paperless processing environment, where no paper records may be generated, necessitates the establishment of a suitable electronic audit trail. With respect to Medicare EMC/EFT/ERN, specific requirements for this audit trail should be based on considerations of legality (e.g., covering time frames consistent with the statute of limitations), audit cycles, structure of the overall Medicare claims process (i.e., consideration of the number of separate internal control areas), and technology (e.g., electronic media can experience degradation of data quality after no more than 2-3 years of storage without use).

In the course of our work in reviewing implementation of EMC/EFT in Medicare, we will determine whether the EMC/EFT maintainers and operators are in compliance with HCFA’s requirements for audit trails and related processing controls, as well as with requirements covering instructions to providers on record keeping to support claims submitted.

CONCLUSIONS

BASIS FOR REPORT

This report is in response to the Health Care Financing Administration’s (HCFA) briefing for the Office of Inspector General (OIG) personnel on electronic data interchange (EDI) and paperless processing issues and its request for more information on the OIG’s concerns and plans.

ISSUES

This document has identified numerous issues and goals related to HCFA’s use of EDI and paperless processing technology.
Issues related to the overall strategy of the EDI and paperless processing initiative concern the development of systems such as the Medicare Transaction System, and the further development and use of the Medicaid Management Information Systems, and the point-of-service claims management systems under Medicaid. These systems will allow HCFA to process electronically submitted claims and manage information more efficiently. In order to facilitate the electronic flow of claims, patient, and reimbursement data between providers, payers, and quality-of-care reviewers, HCFA must require standardization. To encourage providers to submit claims and patient data electronically, HCFA must not only eliminate barriers to provider participation, but also develop incentives. Various companion technologies, such as smart cards for computerized patient identification and medical records, and national data communications networks for transmission of health care data, will need further development. Additionally, HCFA’s overall strategy must encourage HCFA’s information resources management program to address Medicare contractor systems and Federal Medicaid initiatives.

This document also raises issues regarding the trustworthiness and reliability of data as it moves from one partner in electronic commerce to another and from one process to another. Issues raised with regard to electronic submission and processing of claims include the requirement that the confidentiality of personally-identifiable health insurance data be strictly maintained and the privacy of patients be protected. In order to address the adequacy of management controls over operations and specific requirements for controls to safeguard assets against waste, fraud, and abuse, internal controls must be reviewed.
Audits and systems certifications must be performed to ensure that all EDI and paperless processing systems are trustworthy and reliable, and that there is no Medicare contractor conflict of interest. For electronic contracts to be valid, they must be in compliance with the contract requirements of the NIST. Finally, HCFA must ensure the integrity of information, through the use of provider agreements, a valid chain of custody, attestation and originator authentication, and proper audit trails.

FUTURE ACTION

Because of the large number of issues and our limited resources, we cannot possibly examine or audit all of the issues related to EDI and paperless processing. As part of our oversight function, we plan to analyze all of the various issues listed above for the purpose of preparing our workplan over the next few years. We also recognize that HCFA has particular concerns about making its systems environment less susceptible to fraud and abuse and about the development of approaches for increasing small provider participation in the EDI and paperless processing environment. With respect to fraud and abuse, we are currently in the survey phase of reviewing electronic controls in the Medicare program and with respect to small providers, we are planning to study incentives for and barriers to small provider participation in EDI and paperless processing.

AGENCY COMMENTS

The Health Care Financing Administration (HCFA) commented on a draft version of this report. The HCFA suggested changes in the report to better reflect its activities and those of the Department with respect to EDI and paperless processing, made suggestions about the focus of OIG’s work in this area, and gave us technical comments. We have revised our report to address many of HCFA’s comments and also provide additional comments on HCFA’s response in Appendix B.
The full text of HCFA’s comments can be found in Appendix A.

APPENDIX A

HEALTH CARE FINANCING ADMINISTRATION COMMENTS

DEPARTMENT OF HEALTH & HUMAN SERVICES
Health Care Financing Administration

Memorandum

DEC 29
Bruce C. Vladeck
Administrator

Subject: Office of Inspector General (OIG) Draft Report: “Electronic Data Interchange: Issues and Challenges” (OEI-12-93-00080)

To: June Gibbs Brown, Inspector General

We reviewed the subject draft report on electronic data interchange (EDI) issues.

OIG does a credible job in identifying the enormous number of issues, potential problems and tasks confronting the Federal government, and the Health Care Financing Administration (HCFA) in particular, in moving to a more fully automated environment. We are well aware of the monumental task facing HCFA with the implementation of EDI. We appreciate and share OIG’s concerns regarding EDI and believe OIG has an important role in its development and implementation. We look forward to working with OIG in this process.
Our comments are attached for your review.

Thank you for the opportunity to review and comment on this draft report. Please advise us if you wish to discuss our response.

Attachment

Comments of the Health Care Financing Administration (HCFA) on the Office of Inspector General (OIG) Draft Report: “Electronic Data Interchange: Issues and Challenges” (OEI-12-93-00080)

General Comments

OIG clearly demonstrates that it understands our goal of evolving Medicare and Medicaid into an all-electronic environment, our plans for achieving this goal, and the barriers that must be crossed before this goal can be realized. However, the report implies that the Department of Health and Human Services (HHS) has not taken a leadership role in the development of computerized patient records. On page 2 of the Introduction and page 10 of the Companion Technologies section, for example, the report does not fully acknowledge HHS’ leadership in this area. We think that the report should be revised to reflect the following:

- Establishment of an HHS computerized Patient Records Council to coordinate various Departmental activities and promote HHS leadership in the development of computer-based patient records systems. The council has met twice and will presumably be the focus of HHS activities in this area in the future.

- Partial funding, through the Agency for Health Care Policy and Research, of the activities of the American National Standards Institute’s Health Informatics Planning Panel (HISPP). The HISPP is coordinating various standard setting efforts in the area of health informatics.
  Such coordination is essential to the development of useful computerized patient records.

- Participation in the deliberations leading to the formation of the Computerized Patient Records Institute.

- Participation in the American Hospital Association’s Work Group on Computerization of Patient Records. The work group was formed at the request of former Secretary Sullivan and recently released its draft report to Secretary Shalala.

- Establishment of a HCFA Electronic Environment Steering Committee and participation in the Work Group for Electronic Data Interchange (WEDI) and the American National Standards Institute (ANSI), to develop and implement standardization not only between Medicaid and Medicare, but between these programs and all other health care insurers.

We believe the definition of electronic data interchange (EDI) is not fully set forth in the report. As stated in the introduction, EDI is the electronic transfer of data, in a standard format, between trading partners. It should be made clear that EDI relates only to the data that are output from an applications system, e.g., a provider’s billing system, and how those data are transported to another applications system, e.g., a contractor’s claim payment system. EDI does not apply to how that applications system actually processes the data.

In addition, we believe OIG would be far more effective and helpful to HCFA by focusing its resources on those issues impacting most directly on the potential for fraud and abuse in the Medicare and Medicaid programs (i.e., certifications, accountability, controls, integrity, conflict of interest, contracts, legal use of information, audit trails, and audits).
We would welcome OIG’s recommendations relative to potential fraud and abuse issues.

Also, we believe OIG has an important role to play in reviewing the sufficiency of our safeguards designed to ensure proper payment. We welcome OIG’s review of the standard Electronic Media Claim (EMC) agreement currently being developed. This standard agreement will detail the responsibilities of all parties in the EDI environment, and specify the ownership of and responsibility for Medicare and Medicaid data at each point in the data flow.

Finally, we suggest that OIG, in a separate report, develop the issue of small provider conversion to EMC/electronic funds transfer (EFT). Once EDI reaches a “critical mass,” the continued use of manual paper data systems will become increasingly inefficient. In developing incentive or cost-subsidization programs for small providers, consideration should be given to the burden and cost they will create for HCFA if they do not interface with HCFA’s electronic system.

The following comments are being offered under the designated headings reflected in the Issues section of the report.

POLICY DIRECTION

Medicare Transaction System (MTS): At the present time, MTS has not addressed the issue of smart card technology. The basic methods of access and entitlement verification are still being reviewed. Medicare and Medicaid program staff have attended the technical advisory group (TAG) meetings of WEDI. WEDI recommended moving away from expensive smart card technology to the use of the data base. This recommendation did not require that users opt for a plastic card for identification.
This TAG suggested that we study the use of computerized patient records in our medical review activities.

Medicaid Point of Service (POS) Claims Management Systems: As noted in our comments on a previous OIG report (Point-Of-Service Claims Management Systems for Medicaid, OEI-01-91-00820, May 1992), we are fully committed to improving the efficiency of the State Medicaid Agency (SMA) Medicaid Management Information Systems operations through standardization and the use of electronic technology. Since this OIG report was issued, eight SMAs have reported implementation of POS systems for pharmacies (including six systems with utilization review capability) with three of these systems being expanded and made available to providers other than pharmacies. Ten additional SMAs are currently developing POS modules for implementation by the end of calendar year 1993, and 21 of the remaining 33 SMAs are considering the development and implementation of POS modules for completion by late 1994.

THE NEED FOR A COHESIVE STRATEGIC SYSTEMS PLAN COVERING EDI

HCFA is moving forward with a strategic planning initiative to streamline, consolidate, and integrate Medicare and Medicaid claims processing, including EDI. Standardizing of systems, providing appropriate incentives, and utilizing companion technologies are critical goals and objectives of this initiative.

POLICY IMPLEMENTATION

Internal Controls on EDI: This is an ongoing issue between HCFA and OIG regarding the adequacy of HCFA’s management controls over operations and the subject of extensive reviews by OIG. We perform reviews deemed sufficient to ensure that the Medicare contractors and SMAs have adequate internal controls. In the course of our oversight activities, we review many of the procedures and processes (i.e., internal controls) followed by the contractors.
These oversight activities are performed by both central office and regional office staffs. We perform reviews that are formal and repetitive in nature, and which are used to evaluate performance. There are many other reviews and contacts that are less formal which arise to address specific issues. In both cases, HCFA is aware of the importance of internal controls and evaluation activities in the area of EDI.

Data Safeguards: Any electronic data exchange system must safeguard access to the system itself in order to protect the data within. This requires us to identify those who input data, as well as those who use the data, and it also requires periodic certifications and maintenance of a change of custody as the data move from user to user.

In both of the above areas, HCFA is aware of the importance of internal controls and evaluation activities in the area of EDI. We welcome OIG’s additional thoughts or recommendations that would strengthen our operations.

Electronic Funds Transfer (EFT): On page 8, The HCFA Perspective, OIG expresses concern about the changes that have been made in Medicare claims processing as a result of the implementation of Medicare national claims formats and EFT. The EFT systems modifications were made by HCFA’s standard system maintainers and consisted primarily of installing the capability to initiate EFT with the Medicare bank. This function required system programming and liaison activities with the Medicare bank to ensure the establishment of proper EFT transmission protocols.

Since contractors initiate EFTs and send these transmissions through the Medicare bank (the Automated Clearing House (ACH)), and ultimately to the provider’s bank, every precaution has been taken to ensure the accuracy and integrity of each electronic payment transaction.
The contractor, Medicare bank, and ACH operators are bound by strict operating guidelines and Federal regulations concerning the initiation, transmission, and receipt of EFTs. The benefits accounting and reporting functions that occur with EFT transactions mirror those that currently exist under the checks paid method of advancing funds under the Letter of Credit system. Therefore, we do not anticipate that benefit payments made under EFT will be vulnerable to errors and/or fraud.

Specific Comments

Page 9, second bullet point:

    HCFA’s goal is to increase the rate of EFT for Medicare payments made to hospitals to 100 percent within 3 years.

HCFA is currently reviewing public comments received in response to BPO-104-PN which was published on January 15. This notice proposes to require hospitals to submit all inpatient and outpatient bills electronically and to receive payments and remittance advices electronically. In response to the many comments urging HCFA to extend the implementation timeframe for BPO-104-PN, we anticipate that hospitals will be given at least 6 months from the date of publication of the final notice in which to comply with its requirements. We anticipate that the final version of this notice will be published no sooner than early in fiscal year 1994.

Page 9, fourth bullet point:

    OIG will determine if HCFA adequately assessed benefits and costs.

The full benefits of EMC and EFT are to be achieved in an integrated and fully interactive claims submission and payment environment. Our estimates of the benefits and costs of EFT have always been conservative and are predicated on the fact that EFT among physicians and suppliers will be implemented at a much slower rate than with institutional providers.
Because of the relatively low volume of payments made to institutional providers we have yet to realize significant cost savings from EFT usage. We anticipate that as the technology spreads throughout the entire provider community, cost savings will increase dramatically.

In a recent OIG report, Electronic Funds Transfer for Medicaid Providers, OEI-01-91-00821, OIG recommended that HCFA assist States in developing billing agreements for providers who use electronic claims, remittance advisories, and funds transfers; and to develop guidelines for provider participation in EFT. OIG agreed to consider conducting an inspection or audit on the benefits and costs of EFT to help HCFA develop guidelines for States.

Page 9, fifth bullet point:

    OIG will determine if HCFA provided adequate instructions, lead time, and resources to the Medicare contractors.

In early 1990, HCFA began exploring EFT technology for the Medicare program. EFT soon became a critical component of HCFA’s commitment to establishing a totally electronic billing and payment environment for all Medicare contractors and providers. HCFA provided technical specifications, procedural guidance, and appropriate funding throughout the implementation of EFT. This support continues as increasing numbers of Medicare providers elect to receive payments via EFT.

Page 9, sixth bullet point:

    OIG will determine if HCFA is tracking progress during implementation sufficiently to identify problems and resolve them effectively and in a timely manner.

HCFA has been quite diligent in tracking the progress of contractors, providers, and SMAs in implementing EFT. Staff has worked in conjunction with the contractor community throughout the implementation process.
HCFA circulated draft contractor instructions for several months prior to their effective date to ensure that all concerns were taken into consideration in the final product. All problems identified by contractors were addressed in a timely and professional manner.

Technical Comments

Page 3, last paragraph, fourth line from bottom - replace “transcribe” with “input.”

Page 6, first full paragraph, third line from bottom - remove the word “processing” from the sentence. ANSI formats are for transmission of data, not processing. The “they” used in the beginning of the last sentence needs to be identified.

Page 6, third paragraph, third line from bottom - it is not clear what is meant “. . . that recordkeeping requirements in the insurance industry as a whole increase paperwork burden . . . .” Doctors need to keep records so that they know what procedures they have performed on patients, and to whom they have referred the patients, etc.

Page 6, fourth paragraph, fourth sentence - HCFA is not planning to implement an ANSI standard uniform billing form. ANSI is a data transmission standard, not a billing form.

Page 6, last paragraph, fifth sentence - OIG references specific legislation which would empower national standards organizations to establish mandatory standards for electronic transmission and payment of claims; please provide the bill number and the session of Congress.

Page 17, Program Safeguards, first paragraph - OIG cites a paper written by Peter Weiss on EDI.
Please provide a citation for this paper.

APPENDIX B

OIG RESPONSE TO AGENCY COMMENTS

The Health Care Financing Administration (HCFA) commented on a draft version of this report. The HCFA suggested changes in the report to better reflect its activities and those of the Department with respect to EDI and paperless processing, made suggestions about the focus of OIG’s work in this area, and gave us technical comments. We have revised our report to address many of HCFA’s comments and also provide additional comments on HCFA’s response below.

GENERAL COMMENTS

HCFA Comments

The HCFA believes that the OIG would be more effective and helpful if it focused its resources on those issues impacting most directly on the potential for fraud and abuse in the Medicare and Medicaid programs (i.e., certifications, accountability, controls, integrity, conflict of interests, contracts, legal use of information, audit trails, and audits).

OIG Response

The OIG recognizes that these areas are critically important and does plan to address them in our current and upcoming reviews. The OIG believes, however, that the other areas identified in this report also will have a direct bearing on Medicare and Medicaid operational efficiency, controls, and economy, as well as on financial management and reporting.
Thus, OIG sees a need to address a broad range of EDI\nand paperless processing issues in its current and future work plans.\n\nHCFA Comments\n\nBecause the continued use of manual paper data systems will become increasingly\ninefficient, the HCFA has suggested that the OIG, in a separate report, develop the\nissue of small provider conversion to electronic media claims and electronic funds\ntransfer.\n\nOIG Response\n\nThe OIG has developed a workplan item, “Adding Incentives and Removing Barriers\nto Provider Participation in EDI and Paperless Processing.” The purpose of this study\nis to assess how different providers can be brought into the EDI and paperless\nprocessing environment, what barriers exist for providers, and whether HCFA’s efforts\naddress those barriers and provide proper incentives for providers.\n\nINCENTIVES AND BARRIERS\n\nHCFA Comments\n\nIn response to this report on the issue of HCFA’s goal to increase the rate of EFT for\nMedicare payments made to hospitals to 100 percent within 3 years, HCFA indicated\nthat it was reviewing public comments received in a response to its proposed notice\npublished January 15, 1993. This notice was intended to promote the use of\nstandardized electronic billing and payment by hospitals. Since then, HCFA concluded\nthat it had no legal authority to penalize hospitals that fail to comply with the notice.\nWhen HCFA withdrew this notice on January 24, 1994, HCFA stated that the hospital\nelectronic media claims submission rates exceeded 90 percent.\n\nOIG Response\n\nThe OIG is pleased to see that HCFA has achieved a rate of EFT for Medicare\npayments made to hospitals exceeding 90 percent, but OIG is concerned about the\nremaining hospitals that do not participate in the use of standardized electronic billing\nand payment mechanisms. 
As we have indicated in this report, we plan to look at\nprovider participation in EFT as part of our review of Medicare claims processing.\n\n              APPENDIX C\n\n           ACRONYMS USED IN THIS REPORT\n\nANSI          American National Standards Institute\nATM           automatic teller machine\nBPO           Bureau of Program Operations\nCHAMPUS       Civilian Health and Medical Program of the Uniform Services\nCMN           Certificate of Medical Necessity\nCPR           computer-based patient record\nCPRI          Computer-Based Patient Record Institute\nDME           durable medical equipment\nDUR           drug utilization review\nEDI           electronic data interchange\nEFT           electronic funds transfer\nEMC           electronic media claims\nERN           electronic remittance notices\nFAMIS         Family Assistance Management Information Systems\nFMFIA         Federal Managers’ Financial Integrity Act\nGAO           General Accounting Office\nHCFA          Health Care Financing Administration\nHHS           Health and Human Services\nIOM           Institute of Medicine\nIRM           information resources management\nMMIS          Medicaid Management Information Systems\nMTS           Medicare Transaction System\nNIST          National Institute of Standards and Technology\nOBRA          Omnibus Budget Reconciliation Act\nOIG           Office of Inspector General\nPIN           personal identification numbers\nPOS           point of service\nPRO           Peer Review Organization\nSMA           State Medicaid agencies\nWEDI          Workgroup for Electronic Data Interchange\n'